BYOD, HIPAA are rock and hard place for CIOs

By: Jonah Comstock | Dec 6, 2012        

(Left to Right) Penelope Hughes, Andrew Litt, Rohit Nayak, and Omar Hussein

When Meaningful Use Stage 2 rolls out in 2013, one guideline hospitals’ EHRs will have to meet is increased protection of patient health information. That means the HHS Office of Civil Rights (OCR) will be doing audits for HIPAA compliance.

The OCR fined Massachusetts Eye and Ear Associates $1.5 million in September when a laptop with patient data was stolen. In June, the Alaska Department of Health and Human Services was fined $1.7 million for one stolen USB drive.

Those audits are particularly daunting in an environment where Bring Your Own Device (BYOD) policies are becoming so prevalent that hospital information officers don’t even see them as a choice.

“When I first created this presentation, it was the question of whether you want to implement BYOD,” said Brian Balow, a member of the law firm Dickinson Wright. “The cows have kind of left the barn on that one.”

A recent KLAS survey of 105 CIOs, IT specialists, and physicians in the US found that 70 percent used mobile devices to access their electronic health records, including customers of nearly every major EHR (Epic, Cerner, GE, Allscripts, Siemens, MEDITECH, and McKesson). The vast majority of organizations, 94 percent, were supporting Apple, with 49 percent and 44 percent supporting Android and Microsoft, respectively.

As physicians and health administrators adopt mobile devices in hospitals, it’s up to hospital IT departments to keep up with them and make sure the patient data on those devices is secure.

“This is part of a broader macro-trend in security,” said David Houlding, Healthcare Privacy and Security Lead Architect at Intel. “It was very top-down, where IT departments made decisions about security. It’s going to be much more of a detect, respond, and govern security model.”

With the inescapable reality of BYOD pushing them from behind and the threat of massive fines for HIPAA violations looming ahead, hospital CIOs are finding themselves in need of security solutions fast.

Houlding says physicians are sensitive to security concerns, but their primary worry is treating patients.

“From the healthcare worker’s standpoint, security is impeding the quality of care,” he said. “We’ve got to provide security that’s usable. So if we put encryption on a device, it cannot slow that device down, or providers will seek an alternative, which can be risky.”

Most of the security solutions hospitals are adopting have potential negative effects on the effectiveness of the tools. For instance, if the hospital sets up a thin client so that patient information is stored on a server and merely displayed on doctors’ devices, the doctor’s charts become unavailable whenever the network connection is compromised.

Of course, it’s not just the threat of fines that will drive hospitals to adopt security solutions; it’s also maintaining a trust relationship with patients, who, data shows, are increasingly concerned about security.

Andrew Litt, Dell’s chief medical officer, said that a recent study showed that if patients lacked confidence in the security of their data, 50 percent would withhold their data, 38 percent would forgo care, 38 percent would seek care elsewhere, and 70 percent said it would reflect poorly on the institution. Finally, 87 percent thought someone should lose their job over a breach.

Litt also said that hospitals are one of the biggest targets for hackers, who can sell health records for about $50 on the information black market.

Omar Hussein, CEO of Imprivata, said the questions of security in healthcare are fundamentally different from those in other industries.

“[In] every other industry, security is a single issue: keeping the bad guy out. In healthcare, it’s not just about that. It’s actually keeping patient information in,” he said. “When someone steals your credit card, the bank will make you whole, you’ll get the 1,000 bucks back. But if information about your STD or that you’re taking medicine for depression gets out, how do you get that back?”